Abstract. Baldi et al. proposed a variant of McEliece's cryptosystem. The main idea is to replace
its permutation matrix by adding to it a rank 1 matrix. The motivation for this change is twofold: it
would allow the use of codes that were shown to be insecure in the original McEliece's cryptosystem,
and it would reduce the key size while keeping the same security against generic decoding attacks. The
authors suggest to use generalized Reed-Solomon codes instead of Goppa codes. The public code built
with this method is not anymore a generalized Reed-Solomon code. On the other hand, it contains a
very large secret generalized Reed-Solomon code. In this paper we present an attack that is built upon
a distinguisher which is able to identify elements of this secret code. The distinguisher is constructed
by considering the code generated by component-wise products of codewords of the public code (the
so-called "square code"). By using square-code dimension considerations, the initial generalized Reed-
Solomon code can be recovered which permits to decode any ciphertext. A similar technique has already
been successful for mounting an attack [GOT12] against a homomorphic encryption scheme suggested
by [BL11]. This work can be viewed as another illustration of how a distinguisher of Reed-Solomon
codes can be used to devise an attack on cryptosystems based on them.
1 Introduction

Reed-Solomon codes have been suggested for the first time in a public-key cryptosystem in [Nie86]
but it was shown to be insecure in [SS92]. The attack recovers the underlying Reed-Solomon code, allowing
the decoding of any encrypted data obtained from a McEliece-type cryptosystem based on them.
The McEliece cryptosystem [McE78] on the other hand uses Goppa codes. Since its appearance,
it has withstood many attacks and after more than thirty years now, it still belongs to the very
few unbroken public-key cryptosystems. This situation substantiates the claim that inverting the
encryption function, and in particular recovering the private key from public data, is intractable.

No significant breakthrough has been observed with respect to the problem of recovering the
private key [Gib91, LS01]. This has led to the claim that the generator matrix of a binary Goppa code
does not disclose any visible structure that an attacker could exploit. This is strengthened by the fact
that Goppa codes share many characteristics with random codes: for instance they asymptotically
meet the Gilbert-Varshamov bound, they typically have a trivial permutation group, etc. This is
the driving motivation for conjecturing the hardness of the Goppa code distinguishing problem,
which asks whether a Goppa code can be distinguished from a random code. This has become
a classical belief in code-based cryptography, and semantic security in the random oracle model
[NIKM08], CCA2 security in the standard model [DMQN09] and security in the random oracle
model against existential forgery [Dal07] of the signature scheme [CFS01] are now proved by using
this assumption.

In [FGO+11], an algorithm that manages to distinguish between a random code and a Goppa
code has been introduced. This work, without undermining the security of [McE78], prompts one to
wonder whether it would be possible to devise an attack based on such a distinguisher. It was found
out in [MCP12] that our distinguisher [FGO+11] has an equivalent but simpler description in terms
of the component-wise product of codes. This notion was first put forward in coding theory to unify
many different algebraic decoding algorithms [Pel92, Köt92]. Recently, it was used in [MCMMP11a]
to study the security of cryptosystems based on Algebraic-Geometric codes. Powers of codes are
also studied in the context of secure multi-party computation (see for example [CCCX09, CCX11]).
This distinguisher is even more powerful in the case of Reed-Solomon codes than for Goppa codes
because, whereas for Goppa codes it is only successful for rates close to 1, it can distinguish Reed-
Solomon codes of any rate from random codes.

In this paper we propose a cryptanalysis of a variant of McEliece's cryptosystem [McE78]
proposed in [BBC+11], which is based on the aforementioned version of our distinguisher pre-
sented in [MCP12]. The main idea of this proposal is to replace the permutation matrix used to
hide the secret generator matrix by another matrix of the form $\Pi + R$ where $\Pi$ is a permuta-
tion matrix and $R$ is a rank 1 matrix. The motivation for this change is twofold: it would allow
the use of codes that were shown to be insecure in the original McEliece's cryptosystem, and it
allows to reduce the size of the keys, which is a major drawback in code-based cryptography. In
this new setting it was suggested to use generalized Reed-Solomon codes. The public code obtained
with this method is not anymore a generalized Reed-Solomon code. On the other hand, it contains
a very large secret generalized Reed-Solomon code. Our attack consists in identifying this secret
Reed-Solomon code by picking at random a very small number of elements of the public code and
computing the dimension of the vector space generated by component-wise products of these ele-
ments with the public code. This technique is precisely what enables to distinguish a Reed-Solomon
code from a random code. In the case at hand, the dimension of the vector space is much smaller
when all elements belong to the secret Reed-Solomon code than in the generic case. This is precisely
what allows to recover the secret Reed-Solomon code. Once this secret code is obtained, it is then
possible to completely recover the initial generalized Reed-Solomon code by using the square-code
construction as in [Wie10]. We are then able to decode any ciphertext.

It should also be pointed out that the properties of Reed-Solomon codes with respect to the
component-wise product of codes have already been used to cryptanalyze a McEliece-like scheme
[BL05] based on subcodes of Reed-Solomon codes [Wie10]. The use of this product is nevertheless
different in [Wie10] from the way we use it here. Note also that our attack is not an adaptation of
the Sidelnikov and Shestakov approach [SS92]. Our approach is completely new: it illustrates how
a distinguisher that detects an abnormal behavior can be used to recover the private key. It should
also be added that a very similar technique has been successful to attack [GOT12] a homomorphic
encryption scheme based on Reed-Solomon codes [BL11].



Organisation of the paper. In Section 2 we recall important notions from coding theory. In
Section 3 we describe the cryptosystem proposed in [BBC+11] and in Section 5 we explain an
attack of this system.
2 Reed-Solomon Codes and the Square Code

We recall in this section a few relevant results and definitions from coding theory and bring in the
fundamental notion which is used in the attack, namely the square code. A linear code $\mathcal{C}$ of length
$n$ and dimension $k$ over a finite field $GF(q)$ of $q$ elements is a subspace of dimension $k$ of the full
space $GF(q)^n$. It is generally specified by a full-rank matrix called a generator matrix, which is a
$k \times n$ matrix $G$ (with $k < n$) over $GF(q)$ whose rows span the code:

$$\mathcal{C} = \{ uG \mid u \in GF(q)^k \}.$$

It can also be specified by a parity-check matrix $H$, which is a matrix whose right kernel is equal
to the code, that is

$$\mathcal{C} = \{ x \in GF(q)^n \mid Hx^T = 0 \},$$

where $x^T$ stands for the column vector which is the transpose of the row vector $x$. The rate of
the code is given by the ratio $k/n$. Code-based public-key cryptography focuses on linear codes that
have a polynomial time decoding algorithm. The role of decoding algorithms is to correct errors
of prescribed weight. We say that a decoding algorithm corrects $t$ errors if it recovers $u$ from the
knowledge of $uG + e$ for all possible $e \in GF(q)^n$ of weight at most $t$.

Reed-Solomon codes form a special case of codes with a very powerful low complexity decoding
algorithm. It will be convenient to use the definition of Reed-Solomon codes and generalized Reed-
Solomon codes as evaluation codes.

Definition 1 (Reed-Solomon code and generalized Reed-Solomon code). Let $k$ and $n$ be
integers such that $1 \le k < n \le q$ where $q$ is a power of a prime number. Let $x = (x_1, \dots, x_n)$ be an
$n$-tuple of distinct elements of $GF(q)$. The Reed-Solomon code $RS_k(x)$ of dimension $k$ is the set of
$(p(x_1), \dots, p(x_n))$ when $p$ ranges over all polynomials of degree $\le k - 1$ with coefficients in $GF(q)$.
The generalized Reed-Solomon code $GRS_k(x,y)$ of dimension $k$ is associated to a couple $(x,y) \in
GF(q)^n \times GF(q)^n$ where $x$ is chosen as above and the entries $y_i$ are arbitrary non-zero elements
in $GF(q)$. It is defined as the set of $(y_1 p(x_1), \dots, y_n p(x_n))$ where $p$ ranges over all polynomials of
degree $\le k - 1$ with coefficients in $GF(q)$.

Generalized Reed-Solomon codes are quite important in coding theory due to the conjunction
of several factors such as:

1. Their minimum distance $d$ is maximal among all codes of the same dimension $k$ and length $n$
because $d$ is equal to $n - k + 1$.

2. They can be efficiently decoded in polynomial time when the number of errors is less than or
equal to $\frac{n-k}{2}$.

It has been suggested to use them in a public-key cryptosystem for the first time in [Nie86] but
it was discovered that this scheme is insecure in [SS92]. Sidelnikov and Shestakov namely showed
that it is possible to recover in polynomial time, for any generalized Reed-Solomon code, a possible
couple $(x,y)$ which defines it. This is all that is needed to decode such codes efficiently and is
therefore enough to break the Niederreiter cryptosystem suggested in [Nie86] or a McEliece-type
cryptosystem [McE78] when Reed-Solomon codes are used instead of Goppa codes.

We could not find a way to adapt the Sidelnikov and Shestakov approach for recovering the
secret generalized Reed-Solomon code from the public generator matrix $G_{pub}$ in the Baldi et al.
scheme. However, a Reed-Solomon code displays a quite peculiar property with respect to the component-
wise product, which is denoted by $a \star b$ for two vectors $a = (a_1, \dots, a_n)$ and $b = (b_1, \dots, b_n)$ and
which is defined by $a \star b \stackrel{\text{def}}{=} (a_1 b_1, \dots, a_n b_n)$. This can be seen by bringing in the following definition.
Definition 2 (Star product of codes — Square code). Let $\mathcal{A}$ and $\mathcal{B}$ be two codes of length
$n$. The star product code denoted by $\langle \mathcal{A} \star \mathcal{B} \rangle$ of $\mathcal{A}$ and $\mathcal{B}$ is the vector space spanned by all
products $a \star b$ where $a$ and $b$ range over $\mathcal{A}$ and $\mathcal{B}$ respectively. When $\mathcal{B} = \mathcal{A}$, $\langle \mathcal{A} \star \mathcal{A} \rangle$ is called
the square code of $\mathcal{A}$ and is denoted by $\langle \mathcal{A}^2 \rangle$.

It is clear that $\langle \mathcal{A} \star \mathcal{B} \rangle$ is also generated by the $a_i \star b_j$'s where the $a_i$'s and the $b_j$'s form a
basis of $\mathcal{A}$ and $\mathcal{B}$ respectively. Therefore

Proposition 1.

$$\dim(\langle \mathcal{A} \star \mathcal{B} \rangle) \le \dim(\mathcal{A}) \dim(\mathcal{B}).$$

We expect that the square code when applied to a random linear code should be a code of dimension
of order $\min\left\{\binom{k+1}{2}, n\right\}$. Actually it can be shown by the proof technique of [FGO+11] that with
probability going to 1 as $k$ tends to infinity the square code is of dimension $\min\left\{\binom{k+1}{2}(1 + o(1)), n\right\}$
when $k$ is of the form $k = o(n^{1/2})$, see also [MCP12]. On the other hand generalized Reed-Solomon
codes behave in a completely different way.

Proposition 2. $\langle GRS_k(x,y)^2 \rangle = GRS_{2k-1}(x, y \star y)$.

This follows immediately from the definition of a generalized Reed-Solomon code as an evaluation
code since the star product of two elements $c = (y_1 p(x_1), \dots, y_n p(x_n))$ and $c' = (y_1 q(x_1), \dots, y_n q(x_n))$
of $GRS_k(x,y)$, where $p$ and $q$ are two polynomials of degree at most $k - 1$, is of the form

$$c \star c' = (y_1^2 p(x_1) q(x_1), \dots, y_n^2 p(x_n) q(x_n)) = (y_1^2 r(x_1), \dots, y_n^2 r(x_n))$$

where $r$ is a polynomial of degree $\le 2k - 2$. Conversely any element of the form $(y_1^2 r(x_1), \dots, y_n^2 r(x_n))$
where $r$ is a polynomial of degree less than or equal to $2k - 1$ is a linear combination of star products
of two elements of $GRS_k(x,y)$.

This proposition shows that the square code is only of dimension $2k - 1$ when $2k - 1 < n$, which
is quite unusual. This property can also be used in the case $2k - 1 > n$. To see this, consider the
dual of the Reed-Solomon code. The dual $\mathcal{C}^\perp$ of a code $\mathcal{C}$ of length $n$ over $GF(q)$ is defined by

$$\mathcal{C}^\perp = \{ x \in GF(q)^n \mid x \cdot y = 0, \ \forall y \in \mathcal{C} \},$$

where $x \cdot y = \sum_i x_i y_i$ stands for the standard inner product between elements of $GF(q)^n$. The dual
of a generalized Reed-Solomon code is itself a generalized Reed-Solomon code, see [MS86, Theorem
4, p. 304].

Proposition 3.

$$GRS_k(x,y)^\perp = GRS_{n-k}(x, y')$$

where the length of $GRS_k(x,y)$ is $n$ and $y'$ is a certain element of $GF(q)^n$ depending on $x$ and $y$.

Therefore when $2k - 1 > n$ a Reed-Solomon code $GRS_k(x,y)$ can also be distinguished from a
random linear code of the same dimension by computing the dimension of $\langle (GRS_k(x,y)^\perp)^2 \rangle$.
We have in this case

$$\langle (GRS_k(x,y)^\perp)^2 \rangle = \langle GRS_{n-k}(x,y')^2 \rangle = GRS_{2n-2k-1}(x, y' \star y')$$

and we obtain a code of dimension $2n - 2k - 1$.
The star product of two codes is the fundamental notion used in the decoding algorithm based
on an error correcting pair [Pel92, Köt92] which unifies ideas common to many algebraic decoding
algorithms. It has been used for the first time to cryptanalyze a McEliece-like scheme [BL05] based
on subcodes of Reed-Solomon codes [Wie10]. The use of the star product is nevertheless different
in [Wie10] from the way we use it here. In this paper, the star product is used to identify, for a
certain subcode $\mathcal{C}$ of a generalized Reed-Solomon code $GRS_k(x,y)$, a possible pair $(x,y)$. This
is achieved by computing $\langle \mathcal{C}^2 \rangle$ which in the case considered turns out to be equal to
$\langle GRS_k(x,y)^2 \rangle$, which is equal to $GRS_{2k-1}(x, y \star y)$. The Sidelnikov and Shestakov algorithm
is then used on $\langle \mathcal{C}^2 \rangle$ to recover a possible $(x, y \star y)$ pair describing $\langle \mathcal{C}^2 \rangle$ as a generalized
Reed-Solomon code. From this, a possible $(x,y)$ pair for which $\mathcal{C} \subset GRS_k(x,y)$ is deduced.



3 Baldi et al. Variant of McEliece's Cryptosystem 



The cryptosystem proposed by Baldi et al. in [BBC+11] is a variant of McEliece's cryptosystem
[McE78]. The main idea is to replace the permutation matrix used to hide the secret generator
matrix by one of the form $\Pi + R$ where $\Pi$ is a permutation matrix and $R$ is a rank-one matrix.
From the authors' point of view, this new kind of transformation would allow to use families of
codes that were shown insecure in the original McEliece's cryptosystem. In particular, it would
become possible to use generalized Reed-Solomon codes in this new framework. The scheme can be
summarized as follows.



Secret key.

– $G_{sec}$ is a generator matrix of a generalized Reed-Solomon code of length $n$ and dimension
$k$ over $GF(q)$,

– $Q \stackrel{\text{def}}{=} \Pi + R$ where $\Pi$ is an $n \times n$ permutation matrix,

– $R$ is a rank-one matrix over $GF(q)$ such that $Q$ is invertible,

– $S$ is a $k \times k$ random invertible matrix over $GF(q)$.

Public key. $G_{pub} \stackrel{\text{def}}{=} S^{-1} G_{sec} Q^{-1}$.

Encryption. The ciphertext $c \in GF(q)^n$ of a plaintext $m \in GF(q)^k$ is obtained by drawing at
random $e$ in $GF(q)^n$ of weight less than or equal to $\frac{n-k}{2}$ and computing $c \stackrel{\text{def}}{=} mG_{pub} + e$.

Decryption. It consists in performing the three following steps:

1. Guessing the value of $eR$;

2. Calculating $c' \stackrel{\text{def}}{=} cQ - eR = mS^{-1}G_{sec} + eQ - eR = mS^{-1}G_{sec} + e\Pi$ and using
the decoding algorithm of the generalized Reed-Solomon code to recover $mS^{-1}$ from the
knowledge of $c'$;

3. Multiplying the result of the decoding by $S$ to recover $m$.



The first step of the decryption, that is guessing the value $eR$, boils down to trying $q$ elements
(in the worst case) since $R$ is of rank 1. Indeed, there exist $\alpha \stackrel{\text{def}}{=} (\alpha_1, \dots, \alpha_n)$ and $\beta \stackrel{\text{def}}{=} (\beta_1, \dots, \beta_n)$
in $GF(q)^n$ such that $R \stackrel{\text{def}}{=} \alpha^T \beta$. Therefore $eR = e\alpha^T\beta = \gamma\beta$ where $\gamma$ is an element of $GF(q)$. The
second step of the decryption can also be performed efficiently because $e\Pi$ is of weight less than or
equal to $\frac{n-k}{2}$, and such errors can be corrected in polynomial time in a generalized Reed-Solomon
code of length $n$ and dimension $k$ by well-known standard decoding algorithms.
4 Attack on the Baldi et al. Cryptosystem Using GRS Codes



4.1 Case where 2k + 2 < n 

We define $\mathcal{C}_{sec}$ and $\mathcal{C}_{pub}$ to be the codes generated by the matrices $G_{sec}$ and $G_{pub}$ respectively.
We denote by $n$ the length of these codes and by $k$ their dimension. We assume in this subsection
that

$$2k + 2 < n. \qquad (1)$$

As explained in Section 3, $\mathcal{C}_{sec}$ is a GRS code. It is also assumed in [BBC+11] that the matrix
$Q = \Pi + R$ is invertible. It will be convenient to bring in the code $\mathcal{C} \stackrel{\text{def}}{=} \mathcal{C}_{sec}\Pi^{-1}$. The matrix $R$ is
assumed to be of rank one. From Lemma 3 in Appendix A the matrix $R\Pi^{-1}$ is also of rank one.
Hence there exist $a$ and $b$ in $GF(q)^n$ such that:

$$R\Pi^{-1} = b^T a. \qquad (2)$$



This code $\mathcal{C}$, being a permutation of a generalized Reed-Solomon code, is itself a generalized Reed-
Solomon code. So there are elements $x$ and $y$ in $GF(q)^n$ such that $\mathcal{C} = GRS_k(x,y)$. There is a
simple relation between $\mathcal{C}_{pub}$ and $\mathcal{C}$ as explained by the following lemma.

Lemma 1. Let $\lambda = -\frac{1}{1 + a \cdot b}\, b$. For any $c$ in $\mathcal{C}_{pub}$ there exists $p$ in $\mathcal{C}$ such that:

$$c = p + (p \cdot \lambda)\, a. \qquad (3)$$

The proof of this lemma is given in Appendix A. From now on we make the assumption that

$$\lambda \notin \mathcal{C}^\perp. \qquad (4)$$


If this is not the case then $\mathcal{C}_{pub} = \mathcal{C} = GRS_k(x,y)$ and there is a straightforward attack by applying
the Sidelnikov and Shestakov algorithm [SS92]. It finds $(x', y')$ that expresses $\mathcal{C}_{pub}$ as $GRS_k(x', y')$.
This allows to easily decode $\mathcal{C}_{pub}$.

Our attack relies on identifying a code of dimension $k - 1$ that is both a subcode of $\mathcal{C}_{pub}$ and of
the generalized Reed-Solomon code $\mathcal{C}$. It consists more precisely of codewords $p + (p \cdot \lambda)\, a$ with $p$
in $\mathcal{C}$ such that $p \cdot \lambda = 0$. This particular code, which is denoted by $\mathcal{C}_{\lambda^\perp}$, is hence:

$$\mathcal{C}_{\lambda^\perp} \stackrel{\text{def}}{=} \mathcal{C} \cap \langle \lambda \rangle^\perp$$

where $\langle \lambda \rangle$ denotes the vector space spanned by $\lambda$. It is a subspace of $\mathcal{C}_{pub}$ of codimension 1 if
$\lambda \notin \mathcal{C}^\perp$. This strongly suggests that $\langle \mathcal{C}_{pub}^2 \rangle$ should have an unusually low dimension since $\langle \mathcal{C}^2 \rangle$
has dimension $2k - 1$ by Proposition 2. More exactly we have here:

Proposition 4.

1. $\langle \mathcal{C}_{pub}^2 \rangle \subset \langle \mathcal{C}^2 \rangle + \mathcal{C} \star a + \langle a \star a \rangle$

2. $\dim(\langle \mathcal{C}_{pub}^2 \rangle) \le 3k - 1$



The first fact follows immediately from Lemma 1 and the proof of this proposition is given in
Appendix A. Experimentally it has been observed that the upper bound is quite sharp. Indeed, the
dimension of $\langle \mathcal{C}_{pub}^2 \rangle$ has always been found³ to be equal to $3k - 1$ in all our experiments when
choosing randomly the codes and $Q$.

The second observation is that when a basis $g_1, \dots, g_k$ of $\mathcal{C}_{pub}$ is chosen and $l$ other random
elements $z_1, \dots, z_l$, then we may expect that the dimension of the vector space generated by all
products $z_i \star g_j$ with $i$ in $\{1, \dots, l\}$ and $j$ in $\{1, \dots, k\}$ is the dimension of the full space $\langle \mathcal{C}_{pub}^2 \rangle$
when $l \ge 3$. This is indeed the case when $l \ge 4$ but it is not true for $l = 3$ since we have the
following result.

Proposition 5. Let $\mathcal{B}$ be the linear code spanned by $\{ z_i \star g_j \mid 1 \le i \le 3 \text{ and } 1 \le j \le k \}$. It holds
that $\dim(\mathcal{B}) \le 3k - 3$.

An explanation of this phenomenon is given in Appendix A. Experimentally, it turns out that
almost always this upper bound is quite tight and the dimension is generally $3k - 3$. But if we
assume now that $z_1, z_2, z_3$ all belong to $\mathcal{C}_{\lambda^\perp}$, which happens with probability $\frac{1}{q^3}$ since $\mathcal{C}_{\lambda^\perp}$ is a
subspace of $\mathcal{C}_{pub}$ of codimension 1 (at least when $\lambda \notin \mathcal{C}^\perp$), then the vectors $z_i \star g_j$ generate a
subspace with a much smaller dimension.

Proposition 6. If $z_i$ is in $\mathcal{C}_{\lambda^\perp}$ for $i$ in $\{1, 2, 3\}$ then for all $j$ in $\{1, \dots, k\}$:

$$z_i \star g_j \in \langle \mathcal{C}^2 \rangle + \langle z_1 \star a \rangle + \langle z_2 \star a \rangle + \langle z_3 \star a \rangle \qquad (5)$$

and if $\mathcal{B}$ is the linear code spanned by $\{ z_i \star g_j \mid 1 \le i \le 3 \text{ and } 1 \le j \le k \}$ then

$$\dim(\mathcal{B}) \le 2k + 2. \qquad (6)$$

The proof of this proposition is straightforward and is given in Appendix A. The upper bound
given in (6) on the dimension follows immediately from (5). This leads to Algorithm 1 which
computes a basis of $\mathcal{C}_{\lambda^\perp}$. It is essential that the condition in (1) holds in order to distinguish the
case when the dimension is less than or equal to $2k + 2$ from higher dimensions.

The first phase of the attack, namely finding a suitable triple $z_1, z_2, z_3$, runs in expected time
of the form $O(k^3 q^3)$ because each test in the repeat loop of Algorithm 1 has a chance of $\frac{1}{q^3}$ to succeed. Indeed,
$\mathcal{C}_{\lambda^\perp}$ is of codimension 1 in $\mathcal{C}_{pub}$ and therefore a fraction $\frac{1}{q}$ of elements of $\mathcal{C}_{pub}$ belongs to $\mathcal{C}_{\lambda^\perp}$. The
whole algorithm runs in expected time of the form $O(k^3 q^3)$ plus the cost of the second phase, which is $O(k^3 q^3)$ since $k = O(q)$
and the first phase of the attack is dominant in the complexity. Once $\mathcal{C}_{\lambda^\perp}$ is recovered, it still
remains to recover the secret code $\mathcal{C}$ and $a$. The problem at hand can be formulated like this: we
know a very large subcode, namely $\mathcal{C}_{\lambda^\perp}$, of a GRS code that we want to recover. This is exactly the
problem which was solved in [Wie10]. Applying the approach of this paper to our problem amounts
to computing $\langle \mathcal{C}_{\lambda^\perp}^2 \rangle$, which turns out to be equal to $GRS_{2k-1}(x, y \star y)$ (see [MCMMP11b] for
more details). It suffices to use the Sidelnikov and Shestakov algorithm [SS92] to compute a pair
$(x, y \star y)$ describing $\langle \mathcal{C}_{\lambda^\perp}^2 \rangle$ as a GRS code. From this, we deduce a pair $(x,y)$ defining the secret
code $\mathcal{C}$ as a GRS code. The final phase, that is, recovering a possible $(\lambda, a)$ pair and using it to
decode the public code $\mathcal{C}_{pub}$, is detailed in Appendix B.

³ There are however cases where the dimension might be even smaller. Let us take for instance $a \in GRS_l(x,y)$
for some integer $l \ge 1$ where $GRS_k(x,y) = \mathcal{C}$. From Proposition 2 we know that $\langle \mathcal{C}^2 \rangle = GRS_{2k-1}(x, y \star y)$
and it can be checked similarly that $\mathcal{C} \star a \subset GRS_{k+l-1}(x, y \star y)$. It follows immediately from the first statement
of Proposition 4 that the dimension of $\langle \mathcal{C}_{pub}^2 \rangle$ is upper-bounded by $\max\{2k - 1, k + l - 1\} + 1$ which can be
obviously smaller than $3k - 1$.
Algorithm 1 Recovering $\mathcal{C}_{\lambda^\perp}$.
Input: A basis $\{g_1, \dots, g_k\}$ of $\mathcal{C}_{pub}$.
Output: A basis $\mathcal{L}$ of $\mathcal{C}_{\lambda^\perp}$.
1: repeat
2:   for $1 \le i \le 3$ do
3:     Randomly choose $z_i$ in $\mathcal{C}_{pub}$
4:   end for
5:   $\mathcal{B} \leftarrow \langle \{ z_i \star g_j \mid 1 \le i \le 3 \text{ and } 1 \le j \le k \} \rangle$
6: until $\dim(\mathcal{B}) \le 2k + 2$ and $\dim(\langle z_1, z_2, z_3 \rangle) = 3$
7: $\mathcal{L} \leftarrow \{ z_1, z_2, z_3 \}$
8: $s \leftarrow 4$
9: while $s \le k - 1$ do
10:   repeat
11:     Randomly choose $z_s$ in $\mathcal{C}_{pub}$
12:     $\mathcal{B} \leftarrow \langle \{ z_i \star g_j \mid i \in \{1, 2, s\} \text{ and } 1 \le j \le k \} \rangle$
13:   until $\dim(\mathcal{B}) \le 2k + 2$ and $\dim(\langle \mathcal{L} \cup \{ z_s \} \rangle) = s$
14:   $\mathcal{L} \leftarrow \mathcal{L} \cup \{ z_s \}$
15:   $s \leftarrow s + 1$
16: end while
17: return $\mathcal{L}$
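The square-code distinguisher of Proposition 2 (Section 2) and the dimension bounds of Propositions 4 to 6 that Algorithm 1 tests, as an added Python example that is not part of the paper (the authors' experiments were run in Magma). It builds a toy instance over a prime field, constructs the public code through Lemma 1 rather than through $\Pi$, $R$ and $S$, and returns the relevant dimensions so that the GRS code, a random code of the same parameters, the public code, and the triple $z_1, z_2, z_3$ drawn from $\mathcal{C}_{\lambda^\perp}$ versus from $\mathcal{C}_{pub}$ can be compared. The parameters $q = 61$, $n = 40$, $k = 10$, the seed and all function names are assumptions of this example.

```python
import random

# Constructed toy parameters (assumption: a prime q keeps the field arithmetic to
# integers mod q; the paper's examples use GF(2^8) and GF(2^9) instead).
Q = 61            # field size
N, K = 40, 10     # length and dimension, chosen so that 2k + 2 < n (condition (1))

def rank_mod(rows, p=Q):
    """Rank of a family of vectors over GF(p), by Gaussian elimination."""
    m = [list(r) for r in rows]
    rk = 0
    for c in range(len(m[0]) if m else 0):
        piv = next((i for i in range(rk, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[rk], m[piv] = m[piv], m[rk]
        inv = pow(m[rk][c], -1, p)
        m[rk] = [(v * inv) % p for v in m[rk]]
        for i in range(len(m)):
            if i != rk and m[i][c]:
                f = m[i][c]
                m[i] = [(vi - f * vr) % p for vi, vr in zip(m[i], m[rk])]
        rk += 1
    return rk

def star(u, v, p=Q):
    """Component-wise (star) product a * b = (a_1 b_1, ..., a_n b_n)."""
    return [(a * b) % p for a, b in zip(u, v)]

def dot(u, v, p=Q):
    return sum(a * b for a, b in zip(u, v)) % p

def combine(coeffs, rows, p=Q):
    """Linear combination sum_i coeffs[i] * rows[i] over GF(p)."""
    return [sum(c * r[j] for c, r in zip(coeffs, rows)) % p for j in range(len(rows[0]))]

def square_dim(basis):
    """dim <A^2>: span of all pairwise star products of basis vectors (Definition 2)."""
    k = len(basis)
    return rank_mod([star(basis[i], basis[j]) for i in range(k) for j in range(i, k)])

def grs_generator(x, y, k, p=Q):
    """Generator matrix of GRS_k(x, y) with rows y * x^i, i = 0..k-1 (Definition 1)."""
    return [[(yi * pow(xi, i, p)) % p for xi, yi in zip(x, y)] for i in range(k)]

def build_instance(rng):
    """Secret GRS code C and the public code C_pub = C P^{-1}, P = I + b^T a.
    Pi and S are left out (Pi only relabels (x, y), S only changes the basis, and
    neither affects the dimensions below); P^{-1} is applied through Lemma 1:
    c = p + (p . lambda) a with lambda = -b / (1 + a . b)."""
    x = rng.sample(range(Q), N)                  # distinct evaluation points
    y = [rng.randrange(1, Q) for _ in range(N)]  # non-zero column multipliers
    g_sec = grs_generator(x, y, K)
    while True:
        a = [rng.randrange(Q) for _ in range(N)]
        b = [rng.randrange(Q) for _ in range(N)]
        if (1 + dot(a, b)) % Q:                  # P invertible iff 1 + a.b != 0 (Lemma 4)
            break
    inv = pow((1 + dot(a, b)) % Q, -1, Q)
    lam = [(-bi * inv) % Q for bi in b]
    g_pub = [[(pj + dot(p, lam) * aj) % Q for pj, aj in zip(p, a)] for p in g_sec]
    return g_sec, g_pub, lam

def lambda_perp_subcode(g_sec, lam):
    """Basis of C_{lambda^perp} = {p in C : p . lambda = 0}, of dimension k - 1 when
    lambda is not in C^perp (true for random (a, b) with overwhelming probability)."""
    v = [dot(g, lam) for g in g_sec]
    t = next(i for i, vi in enumerate(v) if vi)
    inv = pow(v[t], -1, Q)
    return [[(gj[i] - v[j] * inv * g_sec[t][i]) % Q for i in range(N)]
            for j, gj in enumerate(g_sec) if j != t]

def triple_dim(zs, g_pub):
    """Dimension of the span of {z_i * g_j}: the quantity tested in Algorithm 1."""
    return rank_mod([star(z, g) for z in zs for g in g_pub])

def demo(seed=1):
    rng = random.Random(seed)
    g_sec, g_pub, lam = build_instance(rng)
    rand_code = [[rng.randrange(Q) for _ in range(N)] for _ in range(K)]
    sub = lambda_perp_subcode(g_sec, lam)
    z_struct = [combine([rng.randrange(Q) for _ in sub], sub) for _ in range(3)]
    z_rand = [combine([rng.randrange(Q) for _ in g_pub], g_pub) for _ in range(3)]
    return {
        "grs_square": square_dim(g_sec),                       # Proposition 2: exactly 2k - 1
        "random_square": square_dim(rand_code),                # random code: about min(k(k+1)/2, n)
        "pub_square": square_dim(g_pub),                       # Proposition 4: at most 3k - 1
        "triple_in_lambda_perp": triple_dim(z_struct, g_pub),  # Proposition 6: at most 2k + 2
        "triple_random": triple_dim(z_rand, g_pub),            # Proposition 5: at most 3k - 3
    }

if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: {d}")
```

With these parameters the GRS square has dimension exactly $2k - 1 = 19$ while the random code's square fills far more of $GF(61)^{40}$, and a triple drawn from $\mathcal{C}_{\lambda^\perp}$ stays within the $2k + 2 = 22$ bound that the repeat loop of Algorithm 1 checks, whereas a generic triple from $\mathcal{C}_{pub}$ does not. The gap between $2k + 2$ and $3k - 3$ is what condition (1) guarantees is observable.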



4.2 Using duality when the rate is larger than $\frac{1}{2}$

The codes suggested in [BBC+11, §5.1.1, §5.1.2] are all of rate significantly larger than $\frac{1}{2}$; for instance
Example 1 p. 15 suggests a GRS code of length 255, dimension 195 over $GF(256)$, whereas Example
2 p. 15 suggests a GRS code of length 511, dimension 395 over $GF(512)$. The attack suggested
in the previous subsection only applies to rates smaller than $\frac{1}{2}$. There is a simple way to adapt
the previous attack for this case by considering the dual of the public code. Note that by
Proposition 3 there exists $y'$ in $GF(q)^n$ for which we have $\mathcal{C}^\perp = GRS_{n-k}(x, y')$. Moreover, $\mathcal{C}_{pub}^\perp$
displays a similar structure as $\mathcal{C}_{pub}$.

Lemma 2. For any $c$ from $\mathcal{C}_{pub}^\perp$ there exists an element $p$ in $\mathcal{C}^\perp$ such that:

$$c = p + (p \cdot a)\, b. \qquad (7)$$

The proof of this lemma is given in Appendix A. It implies that the whole approach of the
previous subsection can be carried out over $\mathcal{C}_{pub}^\perp$. It allows to recover the secret code $\mathcal{C}^\perp$ and
therefore also $\mathcal{C}$. This attack needs that $2(n - k) + 2 < n$, that is $2k > n + 2$. In summary,
there is an attack as soon as $k$ is outside a narrow interval around $n/2$, which is $\left[\frac{n-2}{2}, \frac{n+2}{2}\right]$. We
have implemented this attack in Magma for the aforementioned set of parameters suggested in
[BBC+11], namely $n = 255$, $q = 2^8$, $k = 195$, and the average running time over 25 attacks was
about 2 weeks.
A Proofs of Section 4

The first result that will be used throughout this section is a lemma expressing $R\Pi^{-1}$ in terms of
two vectors in $GF(q)^n$:

Lemma 3. Assume that $R$ is of rank 1, then $R\Pi^{-1}$ is of rank 1 and there exist $a$ and $b$ in $GF(q)^n$
such that

$$R\Pi^{-1} = b^T a.$$

Proof. The dimension of the column space of $R$ is the same as the dimension of the column space
of $R\Pi^{-1}$. Since $R$ is of rank 1, this column space has dimension 1, which implies that $R\Pi^{-1}$ is
also of rank 1. From the fact that the column space of $R\Pi^{-1}$ is of dimension 1, we
can find $b_1, \dots, b_n$ and $a_1, \dots, a_n$ in $GF(q)$ such that

$$R\Pi^{-1} = (b_i a_j)_{1 \le i, j \le n}.$$

We let $a \stackrel{\text{def}}{=} (a_j)_{1 \le j \le n}$ and $b \stackrel{\text{def}}{=} (b_i)_{1 \le i \le n}$. □
From now on we define

$$P \stackrel{\text{def}}{=} I + R\Pi^{-1} = I + b^T a.$$

We will also need the following lemma.

Lemma 4. If $Q$ is invertible, then so is $P$ and

$$P^{-1} = I - \frac{1}{1 + a \cdot b}\, b^T a.$$

Proof. We first observe that $Q = \Pi + R = (I + R\Pi^{-1})\Pi = P\Pi$. Therefore $P$ is invertible if and
only if $Q$ is invertible. Moreover

$$P\left(I - \frac{1}{1 + a \cdot b}\, b^T a\right) = (I + b^T a)\left(I - \frac{1}{1 + a \cdot b}\, b^T a\right)$$
$$= I + \left(1 - \frac{1}{1 + a \cdot b}\right) b^T a - \frac{1}{1 + a \cdot b}\, b^T a\, b^T a$$
$$= I + \frac{a \cdot b}{1 + a \cdot b}\, b^T a - \frac{a \cdot b}{1 + a \cdot b}\, b^T a$$
$$= I.$$

□



A.1 Proof of Lemma 1

Let

$$\lambda^T \stackrel{\text{def}}{=} -P^{-1} b^T = -\left(I - \frac{1}{1 + a \cdot b}\, b^T a\right) b^T = -b^T + \frac{a \cdot b}{1 + a \cdot b}\, b^T = -\frac{1}{1 + a \cdot b}\, b^T. \qquad (8)$$
Let $c$ be an element of $\mathcal{C}_{pub}$. Since $\mathcal{C}_{sec} = \mathcal{C}_{pub} Q = \mathcal{C}_{pub}(\Pi + R) = \mathcal{C}_{pub}(I + R\Pi^{-1})\Pi = \mathcal{C}_{pub} P \Pi$
we obtain $\mathcal{C}_{sec}\Pi^{-1} = \mathcal{C}_{pub} P$ and therefore

$$\mathcal{C}_{pub} = (\mathcal{C}_{sec}\Pi^{-1}) P^{-1} = \mathcal{C} P^{-1}.$$

From this we obtain that there exists $p$ in $\mathcal{C}$ such that

$$c = pP^{-1} = p - \frac{b \cdot p}{1 + a \cdot b}\, a = p + (\lambda \cdot p)\, a.$$



A.2 Proof of Proposition 4

Let $c$ and $c'$ be two elements in $\mathcal{C}_{pub}$. By applying Lemma 1 to them we know that there exist two
elements $p$ and $p'$ in $\mathcal{C}$ such that

$$c = p + (\lambda \cdot p)\, a$$
$$c' = p' + (\lambda \cdot p')\, a.$$

This implies that

$$c \star c' = (p + (\lambda \cdot p)\, a) \star (p' + (\lambda \cdot p')\, a)$$
$$= p \star p' + ((\lambda \cdot p)\, p' + (\lambda \cdot p')\, p) \star a + (\lambda \cdot p)(\lambda \cdot p')\, a \star a. \qquad (9)$$

It will be convenient to bring in the notation

$$x^i \stackrel{\text{def}}{=} \underbrace{x \star \cdots \star x}_{i \text{ times}}.$$

In other words, with this notation, $\mathcal{C} = GRS_k(x,y)$ is generated by the $y \star x^i$'s for $i$ in $\{0, 1, \dots, k - 1\}$.
Since $\lambda \notin \mathcal{C}^\perp$, there exists $i_0 \in \{0, \dots, k - 1\}$ such that $\lambda \cdot (y \star x^{i_0}) \ne 0$. For $i, j$ in $\{0, 1, \dots, k - 1\}$,
let

$$U_i \stackrel{\text{def}}{=} \lambda \cdot (y \star x^{i_0})\, y \star x^i + \lambda \cdot (y \star x^i)\, y \star x^{i_0} + \lambda \cdot (y \star x^{i_0})\, \lambda \cdot (y \star x^i)\, a$$
$$V_{ij} \stackrel{\text{def}}{=} \lambda \cdot (y \star x^i)\, y \star x^j + \lambda \cdot (y \star x^j)\, y \star x^i + \lambda \cdot (y \star x^i)\, \lambda \cdot (y \star x^j)\, a$$

We claim that

Lemma 5. Let $V$ be the vector space generated by the $V_{ij}$'s for $i, j$ in $\{0, 1, \dots, k - 1\}$. The dimen-
sion of $V$ is less than or equal to $k$.
Proof. We prove that $V$ is generated by the $U_i$'s for $i$ in $\{0, 1, \dots, k - 1\}$. This can be proved by
noticing that

$$\frac{\lambda \cdot y \star x^j}{\lambda \cdot y \star x^{i_0}}\, U_i + \frac{\lambda \cdot y \star x^i}{\lambda \cdot y \star x^{i_0}}\, U_j - \frac{(\lambda \cdot y \star x^i)(\lambda \cdot y \star x^j)}{(\lambda \cdot y \star x^{i_0})^2}\, U_{i_0}$$
$$= (\lambda \cdot y \star x^j)\, y \star x^i + \frac{(\lambda \cdot y \star x^i)(\lambda \cdot y \star x^j)}{\lambda \cdot y \star x^{i_0}}\, y \star x^{i_0} + (\lambda \cdot y \star x^i)(\lambda \cdot y \star x^j)\, a$$
$$+ (\lambda \cdot y \star x^i)\, y \star x^j + \frac{(\lambda \cdot y \star x^i)(\lambda \cdot y \star x^j)}{\lambda \cdot y \star x^{i_0}}\, y \star x^{i_0} + (\lambda \cdot y \star x^i)(\lambda \cdot y \star x^j)\, a$$
$$- \left( 2\,\frac{(\lambda \cdot y \star x^i)(\lambda \cdot y \star x^j)}{\lambda \cdot y \star x^{i_0}}\, y \star x^{i_0} + (\lambda \cdot y \star x^i)(\lambda \cdot y \star x^j)\, a \right)$$
$$= (\lambda \cdot y \star x^j)\, y \star x^i + (\lambda \cdot y \star x^i)\, y \star x^j + (\lambda \cdot y \star x^i)(\lambda \cdot y \star x^j)\, a = V_{ij}.$$

□

To simplify notation we assume here that $\star$ takes precedence over the dot product, that is $\lambda \cdot y \star x^j =
\lambda \cdot (y \star x^j)$. Observe now that Equation (9) implies that $c \star c'$ belongs to $\langle \mathcal{C}^2 \rangle + V \star a$. The space
generated by the $c \star c'$'s has therefore a dimension which is upper-bounded by $2k - 1 + k = 3k - 1$.

A.3 Proof of Proposition 5

This follows immediately from the fact that we can express $z_i$ in terms of the $g_j$'s, say

$$z_i = \sum_j a_{ij}\, g_j.$$

We observe now that we have the following three relations between the $z_i \star g_j$'s:

$$\sum_j a_{2j}\, z_1 \star g_j - \sum_j a_{1j}\, z_2 \star g_j = 0 \qquad (10)$$
$$\sum_j a_{3j}\, z_1 \star g_j - \sum_j a_{1j}\, z_3 \star g_j = 0 \qquad (11)$$
$$\sum_j a_{2j}\, z_3 \star g_j - \sum_j a_{3j}\, z_2 \star g_j = 0 \qquad (12)$$

(10) can be verified as follows

$$\sum_j a_{2j}\, z_1 \star g_j - \sum_j a_{1j}\, z_2 \star g_j = z_1 \star z_2 - z_1 \star z_2 = 0.$$

The two remaining identities can be proved in a similar fashion.
A.4 Proof of Proposition 6

Assume that the $z_i$'s all belong to $\mathcal{C}_{\lambda^\perp}$. For every $g_j$ there exists $p_j$ in $\mathcal{C}$ such that $g_j = p_j + (\lambda \cdot p_j)\, a$.
We obtain now

$$z_i \star g_j = z_i \star (p_j + (\lambda \cdot p_j)\, a)$$
$$= z_i \star p_j + (\lambda \cdot p_j)\, z_i \star a$$
$$\in \langle \mathcal{C}^2 \rangle + \langle z_1 \star a \rangle + \langle z_2 \star a \rangle + \langle z_3 \star a \rangle. \qquad (13)$$

This proves the first part of the proposition; the second part follows immediately from the first part
since it implies that the dimension of the vector space generated by the $z_i \star g_j$'s is upper-bounded
by the sum of the dimension of $\langle \mathcal{C}^2 \rangle$ (that is $2k - 1$) and the dimension of the vector space
spanned by the $z_i \star a$'s (which is at most 3).

A.5 Proof of Lemma 2

The key to Lemma 2 is the fact that the dual of $\mathcal{C}_{pub}$ is equal to $\mathcal{C}^\perp P^T$. Indeed $\mathcal{C}_{pub} = \mathcal{C} P^{-1}$ and
therefore for any element $c$ of $\mathcal{C}_{pub}$ there exists an element $p$ of $\mathcal{C}$ such that $c = pP^{-1}$. Observe
now that every element $c^\perp$ in $\mathcal{C}_{pub}^\perp$ satisfies $c \cdot c^\perp = 0$ and that

$$0 = c \cdot c^\perp = pP^{-1} \cdot c^\perp = p \cdot c^\perp (P^{-1})^T.$$

Therefore $\mathcal{C}_{pub}^\perp = \mathcal{C}^\perp P^T$. This discussion implies that there exists an element $p^\perp$ in $\mathcal{C}^\perp$ such that

$$c^\perp = p^\perp P^T$$
$$= p^\perp (I + b^T a)^T$$
$$= p^\perp + p^\perp a^T b$$
$$= p^\perp + (p^\perp \cdot a)\, b.$$
B Recovering $a$ and $\lambda$ from $\mathcal{C}$ and $\mathcal{C}_{\lambda^\perp}$

B.1 The structure of $\mathcal{C}_{pub} \cap \mathcal{C}$ and $\mathcal{C}_{pub}^\perp \cap \mathcal{C}^\perp$

The attack which was given in Section 4 enables to find $\mathcal{C}$ and $\mathcal{C}_{\lambda^\perp}$, which is equal to the intersection
$\mathcal{C}_{pub} \cap \mathcal{C}$. From this we deduce $\mathcal{C}^\perp$ and $\mathcal{C}^\perp \cap \mathcal{C}_{pub}^\perp$. These intersections are related to $\lambda$ and $a$ by

Lemma 6.

$$\mathcal{C}_{pub} \cap \mathcal{C} = \{ p \in \mathcal{C} \mid p \cdot \lambda = 0 \} \qquad (14)$$
$$\mathcal{C}_{pub}^\perp \cap \mathcal{C}^\perp = \{ p \in \mathcal{C}^\perp \mid p \cdot a = 0 \} \qquad (15)$$

Proof. Since it is assumed that $\lambda \notin \mathcal{C}^\perp$, we deduce that $\mathcal{C}_1 = \{ p \in \mathcal{C} \mid p \cdot \lambda = 0 \}$ is a subcode of $\mathcal{C}$
of dimension $k - 1$. Let $p$ be an element of $\mathcal{C}_1$. Notice now that $c \stackrel{\text{def}}{=} p + (\lambda \cdot p)\, a$ belongs to $\mathcal{C}_{pub}$
from Lemma 1 and that $c = p$ since $\lambda \cdot p = 0$ by definition of $\mathcal{C}_1$. Therefore $\mathcal{C}_1 \subset \mathcal{C}_{pub} \cap \mathcal{C}$. Since
$\mathcal{C}_{pub} \ne \mathcal{C}$ by assumption, we obtain that $\dim(\mathcal{C}_{pub} \cap \mathcal{C}) < k$. This implies that $\mathcal{C}_1 = \mathcal{C}_{pub} \cap \mathcal{C}$
because the dimension of $\mathcal{C}_1$ is $k - 1$ as explained above. This proves Equation (14).
To prove Equation (15), let us first compute the dimension of $\mathcal{C}_{pub}^\perp \cap \mathcal{C}^\perp$:

$$\dim(\mathcal{C}_{pub}^\perp \cap \mathcal{C}^\perp) = \dim(\mathcal{C}_{pub}^\perp) + \dim(\mathcal{C}^\perp) - \dim(\mathcal{C}_{pub}^\perp + \mathcal{C}^\perp) \qquad (16)$$
$$= (n - k) + (n - k) - \dim((\mathcal{C}_{pub} \cap \mathcal{C})^\perp) \qquad (17)$$
$$= (n - k) + (n - k) - (n - (k - 1)) \qquad (18)$$
$$= n - k - 1. \qquad (19)$$

Let $\mathcal{C}_2 \stackrel{\text{def}}{=} \{ p \in \mathcal{C}^\perp \mid p \cdot a = 0 \}$. We first claim that $\dim \mathcal{C}_2 = n - k - 1$.

If this were not the case we would have $\dim \mathcal{C}_2 = n - k$, which would imply that $\mathcal{C}_2 = \mathcal{C}^\perp$ and
$a \in \mathcal{C}$. Consider now an element $c$ of $\mathcal{C}_{pub}^\perp$. By Lemma 2 we know that there exists $p$ in $\mathcal{C}^\perp$ such
that $c = p + (a \cdot p)\, b$. Since $a \cdot p = 0$, this would imply that $c = p$ and that $c$ would also be in $\mathcal{C}^\perp$.
This would prove that $\mathcal{C}^\perp = \mathcal{C}_{pub}^\perp$, which would itself imply that $\mathcal{C} = \mathcal{C}_{pub}$. This is a contradiction.

We finish the proof similarly to the previous case by invoking Lemma 2 for an element $p$ in $\mathcal{C}_2$
and arguing that:

(i) $c = p + (a \cdot p)\, b$ is in $\mathcal{C}_{pub}^\perp$, by Lemma 2;

(ii) $c = p$ because $a \cdot p = 0$ and therefore $\mathcal{C}_2 \subset \mathcal{C}_{pub}^\perp \cap \mathcal{C}^\perp$. The equality of both subspaces is proved
by a dimension argument (both have dimension $n - k - 1$). □

B.2 Recovering a valid $(a, \lambda)$ pair

Choose now an arbitrary element $r_1$ in $\mathcal{C}_{pub}^\perp \setminus \mathcal{C}^\perp$ and choose any element $b_0$ in $(\mathcal{C}_{pub} \cap \mathcal{C})^\perp \setminus \mathcal{C}^\perp$
and any element $a_0$ in $(\mathcal{C}_{pub}^\perp \cap \mathcal{C}^\perp)^\perp \setminus \mathcal{C}$ such that

$$a_0 \cdot r_1 \ne 0 \qquad (20)$$

$$a_0 \cdot b_0 = 0 \qquad (21)$$

This is obviously possible by arguing on the dimensions of $(\mathcal{C}_{pub} \cap \mathcal{C})^\perp$ and $(\mathcal{C}_{pub}^\perp \cap \mathcal{C}^\perp)^\perp$. We are
going to show that up to a multiplicative constant these two elements can be chosen as a valid
$(a, \lambda)$ pair, where we use the following definition
Definition 3 (valid $(a, \lambda)$ pair for $(\mathcal{C}_{pub}, \mathcal{C})$). We say that a couple $(a_0, \lambda_0)$ of elements of
$GF(q)^n \times GF(q)^n$ forms a valid $(a, \lambda)$ pair for $(\mathcal{C}_{pub}, \mathcal{C})$ if and only if

(i) $a_0 \cdot \lambda_0 \ne -1$,

(ii) for any element $c$ in $\mathcal{C}_{pub}$ there exists an element $p$ in $\mathcal{C}$ such that $c = p + (\lambda_0 \cdot p)\, a_0$.

We will see in Subsection B.3 that we can easily decode the public code $\mathcal{C}_{pub}$ with the help of such
a valid $(a, \lambda)$ pair.

We first observe that

Lemma 7. There exist $\alpha_0$ and $\beta_0$ in $GF(q) \setminus \{0\}$, $p_0$ in $\mathcal{C}$, $q_0$ in $\mathcal{C}^\perp$ such that

$$a_0 = p_0 + \alpha_0\, a \qquad (22)$$
$$b_0 = q_0 + \beta_0\, \lambda \qquad (23)$$

Proof. $(\mathcal{C}_{pub} \cap \mathcal{C})^\perp$ is a subspace of dimension $n - k + 1$ which contains $\mathcal{C}^\perp$ and $\lambda$, and therefore
also $b$. $b$ does not belong to $\mathcal{C}^\perp$ since $\lambda$ is assumed to be outside $\mathcal{C}^\perp$. This implies that

$$(\mathcal{C}_{pub} \cap \mathcal{C})^\perp = \mathcal{C}^\perp + \langle b \rangle \qquad (24)$$

Since $b_0$ does not belong to $\mathcal{C}^\perp$ by definition, there necessarily exist $\beta_0$ in $GF(q) \setminus \{0\}$ and $q_0$ in
$\mathcal{C}^\perp$ such that

$$b_0 = q_0 + \beta_0\, \lambda$$

The statement on $a_0$ is proved similarly. □
Choose now an arbitrary element $p_1$ in $\mathcal{C} \setminus \mathcal{C}_{pub}$. Let

$$\gamma \stackrel{\text{def}}{=} \frac{-(p_1 \cdot r_1)}{(b_0 \cdot p_1)(a_0 \cdot r_1)}. \qquad (25)$$

This definition makes sense because $a_0 \cdot r_1 \ne 0$ by choice of $a_0$ and $b_0 \cdot p_1 \ne 0$ because $p_1 \in \mathcal{C} \setminus \mathcal{C}_{pub}$
and by the characterization of the intersection $\mathcal{C} \cap \mathcal{C}_{pub}$ of Lemma 6.

Proposition 7. $(a_0, \gamma b_0)$ is a valid $(a, \lambda)$ pair for $(\mathcal{C}_{pub}, \mathcal{C})$.
Proof. The first property of an $(a, \lambda)$ pair is clearly met:

$$a_0 \cdot \gamma b_0 = \gamma\, a_0 \cdot b_0 = 0 \ne -1$$

by using (21).

Let us now prove that for every $p$ in $\mathcal{C}$, we have

$$p + (\gamma b_0 \cdot p)\, a_0 \in \mathcal{C}_{pub}.$$

First consider a $p$ which belongs to $\mathcal{C} \cap \mathcal{C}_{pub}$. We have

$$\gamma b_0 \cdot p = \gamma(\beta_0 \lambda + q_0) \cdot p$$
$$= \gamma(\beta_0\, \lambda \cdot p + q_0 \cdot p)$$
$$= 0$$

because $\beta_0\, \lambda \cdot p = 0$ from the characterization of $\mathcal{C} \cap \mathcal{C}_{pub}$ given in Lemma 6 and $q_0 \cdot p = 0$ because
$q_0$ belongs to $\mathcal{C}^\perp$ and $p$ belongs to $\mathcal{C}$. This implies

$$p + (\gamma b_0 \cdot p)\, a_0 = p$$

which belongs to $\mathcal{C}_{pub}$ by definition of $p$.

Let us prove now that $c_1 \stackrel{\text{def}}{=} p_1 + (\gamma b_0 \cdot p_1)\, a_0$ also belongs to $\mathcal{C}_{pub}$. For this purpose we are
going to prove that $c_1$ is orthogonal to all elements of $\mathcal{C}_{pub}^\perp$. We achieve this by first proving that
$c_1$ is orthogonal to any element $q_2$ in the intersection $\mathcal{C}_{pub}^\perp \cap \mathcal{C}^\perp$:

$$c_1 \cdot q_2 = (p_1 + (\gamma b_0 \cdot p_1)\, a_0) \cdot q_2$$
$$= p_1 \cdot q_2 + \gamma (b_0 \cdot p_1)\, a_0 \cdot q_2$$
$$= 0$$

because $p_1 \cdot q_2 = 0$ from the fact that $p_1 \in \mathcal{C}$ and $q_2 \in \mathcal{C}^\perp$, and $a_0 \cdot q_2 = 0$ by using the
characterization of $\mathcal{C}_{pub}^\perp \cap \mathcal{C}^\perp$ given in Lemma 6. We finish the proof by proving that $c_1$ is also
orthogonal to $r_1$:

$$c_1 \cdot r_1 = (p_1 + (\gamma b_0 \cdot p_1)\, a_0) \cdot r_1$$
$$= p_1 \cdot r_1 + \gamma (b_0 \cdot p_1)\, a_0 \cdot r_1$$
$$= p_1 \cdot r_1 - \frac{p_1 \cdot r_1}{(b_0 \cdot p_1)(a_0 \cdot r_1)} (b_0 \cdot p_1)(a_0 \cdot r_1)$$
$$= 0.$$

This implies that $c_1$ belongs to $\mathcal{C}_{pub}$. Notice now that the mapping $\phi : u \mapsto u + (\gamma b_0 \cdot u)\, a_0$ is a one-
to-one linear mapping whose inverse is given by $v \mapsto v + (\delta \cdot v)\, a_0$ where $\delta = -\frac{1}{1 + \gamma b_0 \cdot a_0}\, \gamma b_0 = -\gamma b_0$
since $\gamma b_0 \cdot a_0 = 0$ by using (21). We have therefore proved that a basis of $\mathcal{C}$ is transformed into a
basis of $\mathcal{C}_{pub}$ by the mapping $\phi$. By linearity of the mapping, we deduce that for any element $c$ in
$\mathcal{C}_{pub}$ there exists an element $p$ in $\mathcal{C}$ such that $c = p + (\gamma b_0 \cdot p)\, a_0$. □

B.3 Decoding the public code

Assume that we have a valid $(a, \lambda)$ pair for $(\mathcal{C}_{pub}, \mathcal{C})$, say it is $(a_0, \lambda_0)$. We want to decode the
vector $z \stackrel{\text{def}}{=} c + e$ where $e$ is an error of a certain Hamming weight which can be corrected by the
decoding algorithm chosen for $\mathcal{C}$ and $c$ is an element of the public code. We know that there exists
$p$ in $\mathcal{C}$ such that

$$c = p + (\lambda_0 \cdot p)\, a_0. \qquad (26)$$

We compute $z(\alpha) \stackrel{\text{def}}{=} z + \alpha a_0$ for all elements $\alpha$ in $GF(q)$. One of these elements $\alpha$ is equal to
$-\lambda_0 \cdot p$ and we obtain $z(\alpha) = p + e$ in this case. Decoding $z(\alpha)$ in $\mathcal{C}$ will reveal $p$ and this gives $c$
by using (26).



